I am trying to set up Ubuntu with full disk encryption on Hetzner Cloud. I got everything to work except the network connection in initramfs. Thanks to the UI console it's possible to unlock, but I need SSH (dropbear) in init. I successfully use the same configuration on their root servers without any issues.

If I set up dropbear to get the IP by DHCP, it always results in NETWORK IS UNREACHABLE. But it gets the right parameters from the DHCP server. I asked Hetzner Support. They told me they think the DHCP client does not support the RFC 3442 Classless Static Routes Option and recommended adding a static route with ip r a 172.31.1.1 dev ens3. Like in this question I added the route, but always got the same error: NETWORK IS UNREACHABLE. I tested setting the route in different scripts, but nothing changed. I tested Ubuntu 16.04 and 18.04.

1 Answer

I had the same problem and a small discussion with tech support: it cannot be that the initramfs fails only in Hetzner cloud instances like this.

But Hetzner Support repeatedly states only that their DHCP servers are compliant with RFC 3442, which announces the default host route to the internal cloud GW. So this must be a problem of the initramfs DHCP client, and they couldn't (wouldn't?) try to set up a perhaps possible BOOTP response, e.g. with the right IP=... parameter.

I suggested updating their documentation for this, but it seems the "feel free to use our wiki for documentation" ...
The (marketing ;) ... ) answer here is then not right:

Hetzner_OL 6 months ago

Thanks for the suggestion about Docker/dbaas. I have passed it on to
our development team. We don't usually publish what new products and
features we are developing until they are ready, but we will continue
to post information about upgrades as they develop.

Tested and worked fine for me. I could set up / snapshot the smallest image.

The encrypted snapshot is ~18 GB compared to 0.5 GB unencrypted, but the snapshot price is still fine compared to the improved security (normally OpenStack-based systems could/should have a key manager service which can do this transparently. ;)

To enhance the above answer: I found out that the image can be made smaller by running the cloud instance itself in rescue mode and encrypting only the minimal size of 1500 MB - here are my basic calls to the install script, split in two parts:

    SERVER_USER="root"
    DEBIAN_VER="9"
    SSH_CALL="sshpass -p ${SERVER_PASS} ssh -akx -i $(ls /srv/pillar/salt-cloud/*.pem | head -n 1) -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes ${SERVER_USER}@${SERVER_IP}"

– Reiner030 Feb 27 at 21:13